Is it possible to alter the email notifications sent via SNS from CloudWatch alarms?

1

Customer has used the prescriptive CIS benchmarks document to set up some Cloudwatch alarms:

https://www.cisecurity.org/benchmark/amazon_web_services/

The issue they are having is that the alarm emails that are sent out via SNS are not particularly useful. They'd like to include more context about the event so they don't have to go hunting for details manually. Here's an example alert (truncated):

    Alarm Details:
    - Name:                       IAM Policy Changes
    - Description:                Amazon CloudWatch alarm that is triggered when an API call is made to change an IAM policy.
    - State Change:               INSUFFICIENT_DATA -> ALARM
    - Reason for State Change:    Threshold Crossed: 1 out of the last 1 datapoints [2.0 (17/12/19 03:24:00)] was greater than or equal to the threshold (1.0) (minimum 1 datapoint for OK -> ALARM transition).
    - Timestamp:                  Tuesday 17 December, 2019 03:29:42 UTC
    - AWS Account:                XXXXXXXXXXXX

The alert shows that an IAM policy changed, but doesn't show:

  • which policy changed, or
  • what the change was.

Is there a way to change the alert or notification to include more data?

1 Answer
1
Accepted Answer

Can you confirm the customer is taking the approach outlined here? Essentially the solution to the question you're posing is alarm enrichment, and typically that happens by additional plumbing that queries the resource(s) in question. As a CloudWatch alarm is just that (an alarm) based off a predefined metric, getting enrichment data directly would be challenging. The metric is simply counting how many times specific eventNames occur in your log group.

To get more detail (without doing enrichment), it seems like a Config rule sending data via an EventBridge/CloudWatch Events rule that triggers a Lambda function and/or SNS topic may yield the information the customer wants? There is a slightly dated but still useful walk-through here.

AWS
EXPERT
Frank_P
answered 4 years ago
  • Adding a host of links to read defeats the whole purpose of the Q&A forum. Adding an example will surely help.
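One way to do the enrichment the answer describes, as an added example that is not from this thread or from AWS: an EventBridge rule matching the same IAM policy-change API calls the CIS metric filter counts, targeting a Lambda that pulls the actor, the affected policy or principal and the decoded policy document out of the CloudTrail event and publishes that to SNS instead of the bare alarm text. The rule pattern, the TOPIC_ARN environment variable and the sample event are assumptions made for the example.

```python
import json
import os
from urllib.parse import unquote
# EventBridge rule pattern (assumed wiring, not from the thread): the same IAM
# policy-change API calls the CIS metric filter counts, delivered by CloudTrail.
EVENT_PATTERN = {"source": ["aws.iam"], "detail-type": ["AWS API Call via CloudTrail"],
    "detail": {"eventName": [
        "PutGroupPolicy", "PutRolePolicy", "PutUserPolicy", "DeleteGroupPolicy",
        "DeleteRolePolicy", "DeleteUserPolicy", "CreatePolicy", "DeletePolicy",
        "CreatePolicyVersion", "DeletePolicyVersion", "AttachRolePolicy", "DetachRolePolicy",
        "AttachUserPolicy", "DetachUserPolicy", "AttachGroupPolicy", "DetachGroupPolicy"]}}
# requestParameters keys that identify which policy or principal was touched.
TARGET_KEYS = ("policyArn", "policyName", "roleName", "userName", "groupName")

def build_message(event: dict) -> dict:
    """Turn one CloudTrail-via-EventBridge event into an enriched alert body."""
    detail = event.get("detail", {})
    params = detail.get("requestParameters") or {}
    who = detail.get("userIdentity", {})
    msg = {
        "eventName": detail.get("eventName"),
        "eventTime": detail.get("eventTime"),
        "account": event.get("account"),
        "actor": who.get("arn") or who.get("principalId"),
        "sourceIPAddress": detail.get("sourceIPAddress"),
        "target": {k: params[k] for k in TARGET_KEYS if k in params},
        "errorCode": detail.get("errorCode"),  # set when the call was denied
    }
    # Inline policy writes carry the document URL-encoded; decode it so the alert
    # shows the statements actually written rather than an opaque string.
    if "policyDocument" in params:
        msg["policyDocument"] = json.loads(unquote(params["policyDocument"]))
    return msg

def handler(event, context):
    """Lambda entry point: publish the enriched alert (TOPIC_ARN env var assumed)."""
    import boto3  # present in the Lambda runtime; not needed to build the message
    message = build_message(event)
    boto3.client("sns").publish(TopicArn=os.environ["TOPIC_ARN"], Message=json.dumps(
        message, indent=2), Subject=f"IAM policy change: {message['eventName']}")
    return message

# Constructed sample: a PutRolePolicy call as EventBridge would deliver it.
SAMPLE_EVENT = {"account": "111122223333", "detail": {
    "eventName": "PutRolePolicy", "eventTime": "2019-12-17T03:24:00Z",
    "sourceIPAddress": "203.0.113.10",
    "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice"},
    "requestParameters": {"roleName": "AppRole", "policyName": "AllowS3Read",
        "policyDocument": "%7B%22Statement%22%3A%5B%7B%22Effect%22%3A%22Allow%22%2C"
                          "%22Action%22%3A%22s3%3AGetObject%22%7D%5D%7D"}}}
```

IAM is a global service, so its CloudTrail events reach EventBridge in us-east-1; the rule has to live there even if the rest of the account runs elsewhere.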
